Peter Mogensen wrote:Mike Malsman wrote:On 11.Mar.2009, at 9:32 AM, Peter Mogensen wrote:But limiting cn=config access to ldapi:/// ... no luck.
Of course, I have to add a "userPassword" attribute to cn=config.ldif, but it seems to be ignored.
It ought to be rejected/startup should fail; userPassword is not a valid attribute for any cn=config entries.
I guessed so.
Personally I think peername-based access control is a crock. For TCP sockets, IP addresses can be easily spoofed. For Unix Domain sockets, different operating systems have different policies on how/whether Unix permission bits affect them.
The only safe thing to do is assume that any user can access the socket, because that's almost universally true.
Do it right, use SASL/EXTERNAL and use authz-regexp to map Unix credentials to LDAP credentials.
And don't mess around with "userPassword" when "rootpw" is what you need.